EFF ranks Apple's iMessage, FaceTime "best mass market options" for secure messaging, ahead of BlackBerry Messenger, Google Hangouts, Facebook, Microsoft Skype
In its ranking of electronic messaging systems for safety and security, the Electronic Frontier Foundation said no mainstream products passed all of its criteria, but that Apple's iMessage and FaceTime "stood out as the best of the mass-market options."
In addition to examining whether each of the three dozen products it tested used encryption ("both in-transit and at the provider level"), the EFF also detailed whether the products provided audited source code or allowed independent review.
The digital rights group said that despite Apple's security edge over the messaging options from BlackBerry, Google, Yahoo, and Facebook, neither iMessage nor FaceTime "currently provides complete protection against sophisticated, targeted forms of surveillance."
The EFF specifically called out AIM; BlackBerry Messenger; Facebook's Messenger and WhatsApp; Google Chat and Hangouts; Microsoft's Skype; Secret; SnapChat and Yahoo Messenger as failing to provide end to end encryption, rendering them no more secure than basic email.
The EFF specifically called out AIM; BlackBerry Messenger; Facebook's Messenger and WhatsApp; Google Chat and Hangouts; Microsoft's Skype; Secret; SnapChat and Yahoo Messenger as failing to provide end to end encryption
While Apple began encrypting Mac users' instant messages back in the days of iChat using using secure certificates it distributed through .Mac (the predecessor to MobileMe and today's iCloud), it has never rolled out effortless email encryption features for its Mail users.
Like BlackBerry Protected, BlackBerry Messenger and Microsoft Skype, Apple also does not manage certificate signing for its users that would allow its Mail, iMessage or FaceTime users to verify contact's identities or sign the authenticity of their own messages, although Apple's Mail.app does support third party certificates for secure encryption and contact verification.
The EFF also recognized Apple as having "properly documented" the secure design of iMessage and FaceTime, a test that BlackBerry Protected passed but most other common, proprietary services (including BlackBerry Messenger, Facebook, Google Hangouts and Microsoft Skype) all failed.
Two other tests: "are past communications secure if your keys are stolen?" and "has the code been audited?" were also passed by Apple's iMessage and FaceTime, but failed by BlackBerry Messenger and Protected and Skype. The EFF said Google Hangouts and Facebook chat both failed the former but passed the latter.
The EFF also complained that "most of the tools that are easy for the general public to use don't rely on security best practices— including end-to-end encryption and open source code," noting that Apple's iMessage and FaceTime are not open source code that is "open to independent review."
The group said Google Hangouts/Chat, Blackberry, Skype and Facebook are not "open to independent review" either.
The EFF detailed its findings and explained its testing criteria in its "secure messaging scorecard."
Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay" - Tim Cook
Apple passed all six criteria examined by the EFF, including requiring a warrant for content; informing users about government data requests; publishing transparency reports; publishing law enforcement guidelines; fighting for users' rights in courts; and fighting for users' rights in Congress.
The EFF observed that "Apple shows remarkable improvement in its commitments to transparency and privacy."
Last month, in an open letter to customers, Apple's chief executive Tim Cook wrote that "Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay."
Google self signs its own certificate of superiority
Drawing a contrast between Google and Facebook, Cook added, "Our business model is very straightforward: We sell great products. We don't build a profile based on your email content or web browsing habits to sell to advertisers.
"We don't 'monetize' the information you store on your iPhone or in iCloud. And we don't read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple."
"Our systems are far more secure and encrypted than anyone else, including Apple" - Google's Eric Schmidt
Following Cook's letter, Google chairman Eric Schmidt told CNN in an interview that "All the things [Cook] implied we're doing, we don't do," and insisted "we have always been the leader in security and in encryption. Our systems are far more secure and encrypted than anyone else, including Apple."
According to the EFF's findings, what Schmidt said was not true.